Publish CVE issue status in JSON CVE feed

[sftim]

This came out of a SIG Security meeting and builds on issue #97

For https://kubernetes.io/docs/reference/issues-security/official-cve-feed/, people reading the site want to find out what's there.

There are different views on what behavior feels right to end users.
@PushkarJ explained the current (at time of writing) behavior is to only list resolved issues; “resolved” means a fix is published.
@IanColdwater gave some context from other projects, some of which only publish CVEs once a fix is available. They mentioned Ubuntu where CVE issues have tags (tracked per release) - https://ubuntu.com/security/cves

This issue is a feature request to add more data to the CVE feed (not the rendered HTML) to show whether the Kubernetes project sees the CVE as:

• open
• not planned
• closed

(conveniently and by intent, we can derive these from GitHub's issues API)

For adding open issues into the rendered HTML CVE feed, see #97

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[PushkarJ]

This is planned to be done as part of beta to GA

/remove-lifecycle rotten

/remove-lifecycle stale

[PushkarJ]

/remove-lifecycle rotten

[PushkarJ]

Did some quick analysis. So wanted to share this here in preparation of implementing this:

REST API: https://docs.github.com/en/rest/issues/issues?apiVersion=2022-11-28#get-an-issue
Field of interest: state (open / closed) state_reason
Possible values for state_reason: completed, not_planned, reopened, null

Actual values we want to translate them into for CVE Status:

state == open -- > "open"
state == closed, state_reason == completed --> "fixed"
state == closed, state_reason == not_planned --> "unfixed"
state == open, state_reason == "reopened" --> "unknown"

Example:

personal-macbook:~ pushkarj$ curl -L   -H "Accept: application/vnd.github+json"    -H "X-GitHub-Api-Version: 2022-11-28"   https://api.github.com/repos/kubernetes/kubernetes/issues/124759
{
  "url": "https://api.github.com/repos/kubernetes/kubernetes/issues/124759",
  "repository_url": "https://api.github.com/repos/kubernetes/kubernetes",
  "labels_url": "https://api.github.com/repos/kubernetes/kubernetes/issues/124759/labels{/name}",
  "comments_url": "https://api.github.com/repos/kubernetes/kubernetes/issues/124759/comments",
  "events_url": "https://api.github.com/repos/kubernetes/kubernetes/issues/124759/events",
  "html_url": "https://github.com/kubernetes/kubernetes/issues/124759",
  "id": 2285943659,
  "node_id": "I_kwDOAToIks6IQLtr",
  "number": 124759,
  "title": "CVE-2024-3744: azure-file-csi-driver discloses service account tokens in logs",
  "user": {
    "login": "ritazh",
    "id": 1856066,
    "node_id": "MDQ6VXNlcjE4NTYwNjY=",
    "avatar_url": "https://avatars.githubusercontent.com/u/1856066?v=4",
    "gravatar_id": "",
    "url": "https://api.github.com/users/ritazh",
    "html_url": "https://github.com/ritazh",
    "followers_url": "https://api.github.com/users/ritazh/followers",
    "following_url": "https://api.github.com/users/ritazh/following{/other_user}",
    "gists_url": "https://api.github.com/users/ritazh/gists{/gist_id}",
    "starred_url": "https://api.github.com/users/ritazh/starred{/owner}{/repo}",
    "subscriptions_url": "https://api.github.com/users/ritazh/subscriptions",
    "organizations_url": "https://api.github.com/users/ritazh/orgs",
    "repos_url": "https://api.github.com/users/ritazh/repos",
    "events_url": "https://api.github.com/users/ritazh/events{/privacy}",
    "received_events_url": "https://api.github.com/users/ritazh/received_events",
    "type": "User",
    "site_admin": false
  },
  "labels": [
    {
      "id": 105146071,
      "node_id": "MDU6TGFiZWwxMDUxNDYwNzE=",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/kind/bug",
      "name": "kind/bug",
      "color": "e11d21",
      "default": false,
      "description": "Categorizes issue or PR as related to a bug."
    },
    {
      "id": 116712923,
      "node_id": "MDU6TGFiZWwxMTY3MTI5MjM=",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/area/security",
      "name": "area/security",
      "color": "d93f0b",
      "default": false,
      "description": null
    },
    {
      "id": 357119284,
      "node_id": "MDU6TGFiZWwzNTcxMTkyODQ=",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/sig/auth",
      "name": "sig/auth",
      "color": "d2b48c",
      "default": false,
      "description": "Categorizes an issue or PR as relevant to SIG Auth."
    },
    {
      "id": 778118403,
      "node_id": "MDU6TGFiZWw3NzgxMTg0MDM=",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/lifecycle/frozen",
      "name": "lifecycle/frozen",
      "color": "d3e2f0",
      "default": false,
      "description": "Indicates that an issue or PR should not be auto-closed due to staleness."
    },
    {
      "id": 1199275492,
      "node_id": "MDU6TGFiZWwxMTk5Mjc1NDky",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/committee/security-response",
      "name": "committee/security-response",
      "color": "c0ff4a",
      "default": false,
      "description": "Denotes an issue or PR intended to be handled by the product security committee."
    },
    {
      "id": 2389856656,
      "node_id": "MDU6TGFiZWwyMzg5ODU2NjU2",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/triage/accepted",
      "name": "triage/accepted",
      "color": "8fc951",
      "default": false,
      "description": "Indicates an issue or PR is ready to be actively worked on."
    },
    {
      "id": 3603068678,
      "node_id": "LA_kwDOAToIks7WwncG",
      "url": "https://api.github.com/repos/kubernetes/kubernetes/labels/official-cve-feed",
      "name": "official-cve-feed",
      "color": "0052cc",
      "default": false,
      "description": "Issues or PRs related to CVEs officially announced by Security Response Committee (SRC)"
    }
  ],
  "state": "closed",
  "locked": false,
  "assignee": null,
  "assignees": [

  ],
  "milestone": null,
  "comments": 1,
  "created_at": "2024-05-08T16:02:57Z",
  "updated_at": "2024-05-15T00:45:12Z",
  "closed_at": "2024-05-15T00:45:12Z",
  "author_association": "MEMBER",
  "active_lock_reason": null,
  "body": "CVSS Rating: [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) - **MEDIUM** (6.5)\r\n\r\nA security issue was discovered in azure-file-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions.  Tokens are only logged when [TokenRequests is configured in the CSIDriver object](https://kubernetes-csi.github.io/docs/token-requests.html) and the driver is set to run at log level 2 or greater via the -v flag.\r\n\r\nThis issue has been rated **MEDIUM** [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) (6.5), and assigned **CVE-2024-3744**\r\n\r\n### Am I vulnerable?\r\n\r\nYou may be vulnerable if [TokenRequests is configured in the CSIDriver object](https://kubernetes-csi.github.io/docs/token-requests.html) and the driver is set to run at log level 2 or greater via the -v flag.\r\n\r\nTo check if token requests are configured, run the following command:\r\n\r\nkubectl get csidriver file.csi.azure.com -o jsonpath=\"{.spec.tokenRequests}\"\r\n\r\nTo check if tokens are being logged, examine the secrets-store container log:\r\n\r\nkubectl logs csi-azurefile-controller-56bfddd689-dh5tk -c azurefile -f | grep --line-buffered \"csi.storage.k8s.io/serviceAccount.tokens\"\r\n\r\n#### Affected Versions\r\n\r\n- azure-file-csi-driver <= v1.29.3\r\n- azure-file-csi-driver v1.30.0\r\n\r\n### How do I mitigate this vulnerability?\r\n\r\nPrior to upgrading, this vulnerability can be mitigated by running azure-file-csi-driver at log level 0 or 1 via the -v flag.\r\n\r\n#### Fixed Versions\r\n\r\n- azure-file-csi-driver v1.29.4\r\n- azure-file-csi-driver v1.30.1\r\n\r\nTo upgrade, refer to the documentation: https://github.com/kubernetes-sigs/azurefile-csi-driver?tab=readme-ov-file#install-driver-on-a-kubernetes-cluster \r\n\r\n### Detection\r\n\r\nExamine cloud provider logs for unexpected token exchanges, as well as unexpected access to cloud resources.\r\n\r\nIf you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io\r\n\r\n#### Acknowledgements\r\n\r\nThis vulnerability was patched by Weizhi Chen @cvvz from Microsoft.\r\n\r\nThank You,\r\nRita Zhang on behalf of the Kubernetes Security Response Committee\r\n\r\n/triage accepted\r\n/lifecycle frozen\r\n/area security\r\n/kind bug\r\n/committee security-response",
  "closed_by": {
    "login": "ritazh",
    "id": 1856066,
    "node_id": "MDQ6VXNlcjE4NTYwNjY=",
    "avatar_url": "https://avatars.githubusercontent.com/u/1856066?v=4",
    "gravatar_id": "",
    "url": "https://api.github.com/users/ritazh",
    "html_url": "https://github.com/ritazh",
    "followers_url": "https://api.github.com/users/ritazh/followers",
    "following_url": "https://api.github.com/users/ritazh/following{/other_user}",
    "gists_url": "https://api.github.com/users/ritazh/gists{/gist_id}",
    "starred_url": "https://api.github.com/users/ritazh/starred{/owner}{/repo}",
    "subscriptions_url": "https://api.github.com/users/ritazh/subscriptions",
    "organizations_url": "https://api.github.com/users/ritazh/orgs",
    "repos_url": "https://api.github.com/users/ritazh/repos",
    "events_url": "https://api.github.com/users/ritazh/events{/privacy}",
    "received_events_url": "https://api.github.com/users/ritazh/received_events",
    "type": "User",
    "site_admin": false
  },
  "reactions": {
    "url": "https://api.github.com/repos/kubernetes/kubernetes/issues/124759/reactions",
    "total_count": 0,
    "+1": 0,
    "-1": 0,
    "laugh": 0,
    "hooray": 0,
    "confused": 0,
    "heart": 0,
    "rocket": 0,
    "eyes": 0
  },
  "timeline_url": "https://api.github.com/repos/kubernetes/kubernetes/issues/124759/timeline",
  "performed_via_github_app": null,
  "state_reason": "completed"
}

[jbiers]

@PushkarJ is this issue waiting for contributions? I'm interested in getting involved in the sig-security :)

[PushkarJ]

Hi @jbiers yes please. We would love any help you can offer on this! Feel free tag me with questions here or in #sig-security-tooling

[jbiers]

/assign